07-07-2009 06:28 AM
Hi,
I've configured two IPsec VPNs: one site-to-site VPN between two Cisco 2811 routers, and the other between one of the routers and a Cisco VPN Client.
But I have one problem. If I add the command for the Cisco VPN Client:
crypto map IPSEC_VPN client authentication list userauthen
the other VPN never comes up, and if I remove it I don't know the security implications, because I can connect only with the VPN Client user and password, but without the router user and password.
Could anybody tell me the best way to configure these two VPNs?
This is the current configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 1client
key 123
pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map IPSEC_VPN client authentication list userauthen
crypto map IPSEC_VPN isakmp authorization list groupauthor
crypto map IPSEC_VPN client configuration address respond
!
crypto map IPSEC_VPN 3 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set ESP-3DES-SHA
match address 103
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
!
interface Tunnel1
ip address 10.1.1.14 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination xxx.xxx.xxx.xxx
crypto map IPSEC_VPN
!
!
interface FastEthernet0/0
description Interface WAN
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
crypto map IPSEC_VPN
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
load-interval 30
!
ip local pool ippool 192.168.2.100 192.168.2.110
!
...
Thanks and regards
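The usual way to keep both tunnels on one crypto map is to exempt the router-to-router peer from XAUTH rather than to drop XAUTH for everyone. The `no-xauth` keyword on the pre-shared key entry tells ISAKMP that this peer is a router, so the `client authentication list` setting keeps applying only to the dynamic (VPN Client) entry. The fragment below is an added example, not the original poster's configuration or anything from the thread; `xxx.xxx.xxx.xxx` is the remote 2811's address as in the post, and `mykey`, `userauthen` and `groupauthor` are the names already in use above.

```cisco
! Added example (not from the original post): keep XAUTH for the VPN Client
! users but exempt the site-to-site peer from it.
!
! 1. Mark the router peer's pre-shared key with no-xauth. Without it the
!    router sends an XAUTH request to the remote 2811, which never answers,
!    so crypto map entry 3 never completes Phase 1.
crypto isakmp key mykey address xxx.xxx.xxx.xxx no-xauth
!
! 2. The crypto-map-wide commands stay, so the dynamic entry (the VPN
!    Client) still requires a user name and password on top of the
!    group key "123".
crypto map IPSEC_VPN client authentication list userauthen
crypto map IPSEC_VPN isakmp authorization list groupauthor
crypto map IPSEC_VPN client configuration address respond
!
! 3. Checks from exec mode once both sides have rebuilt their SAs:
!    show crypto isakmp sa                     -> router peer in QM_IDLE
!    show crypto ipsec sa peer xxx.xxx.xxx.xxx -> packets encaps/decaps rising
!    debug crypto isakmp                       -> no XAUTH exchange toward the router peer
```

On IOS releases that support ISAKMP profiles, the same split can be expressed more explicitly with two `crypto isakmp profile` entries (one matching the peer address, one matching the client group with the `client authentication list` and `isakmp authorization list` commands inside it), but the `no-xauth` keyword is the smallest change to the configuration shown and does not weaken the VPN Client side.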
07-07-2009 09:51 AM
07-09-2009 12:09 AM
Thanks for your help.
I'm modifying the config, but I have a doubt: if my LAN is 192.168.2.0, how do I configure access-list 150?
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
And also, I had these two ACLs and I don't know if they are needed now:
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
Thanks and regards
07-09-2009 05:46 AM
Can you attach your current config so I can review it? I don't see where ACL 150 or 102 are applied in the partial config above.